#21
Manager Emeritus - Security Center, Expert Analyst, Moderator - Security Team; Rangemaster, TSF Academy & Supporter
Few things to try...

AdPopupFilter\PopupZeroIEDLL.dll... This popup blocker seems to have changed companies. This product is now carried by FirstNetSoft Tech but looks like Pcssafe Technologies produced it. While the Pcssafe Technologies one comes back clean as a legit popup blocker, the one you're using has very limited info on it. I'm not 100% sure it can be trusted.

Download and install CleanUp http://cleanup.stevengould.org/
Download KillBox http://www.bleepingcomputer.com/file...re/KillBox.zip

Click start...run...type in services.msc. Locate MESSENGER and set to disable. Make sure it's also unchecked on the startup tab of msconfig.

Now run the cleanup utility and reboot when prompted. Boot directly to safe mode.

Run KillBox. Paste the following locations into KillBox one at a time. Checkmark the box that says "Delete on Reboot", "Unload Explorer Shell" and checkmark the box "Unregister DLL" (if available). Click the RED X and it will ask to reboot now...click NO...and proceed with the next file. Once you get to the last one click YES and it will reboot.

C:\WINDOWS\System32\zllictbl.dat
C:\WINDOWS\System32\ws249832.ocx

Once back to normal mode... do a file search for explorer.exe and list all directories you find it in. What's baffling me is it's not listed as a startup item, service, or listed in the run commands.

I would also suggest you go through the Application Data/Startup folders for each user...

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\All Users\Start Menu
C:\Documents and Settings\Your User\Application Data
C:\Documents and Settings\Your User\Start Menu\Programs...etc.

and look for any suspicious files/folders or subfolders as it may be buried in there. I see nothing else in the logs.
__________________
We Are The BORG Spyware KILLER and Adware Destroyer!
Spyware/Adware Removal Tools: HijackThis, Ad-aware SE, Spybot Search&Destroy, SpywareBlaster, CWShredder
#22
Member
Join Date: Jan 2005
Posts: 23
OS: WinXP
I also have PopupZeroIEDLL.dll on my desktop and there are no problems. Same size and date.

explorer.exe: c:\windows, c:\windows\servicePackFiles\i386, same size and date.

"...is it's not listed as a startup item, service..or listed in the run commands." So this means that this thing must be kick-started by one of the processes already running that seem legitimate? Can a process/code attach itself to explorer.exe and run as its thread, or must explorer.exe create the thread itself?

procexp.exe (sysinternals.com) shows copies of the same thread running under explorer.exe when the laptop tries to connect to a new host. Isn't that a bit weird too? Usually 3 threads with the exact name are listed in that program when a new host connection is attempted. Format of the display is: thread Explorer.EXE(PID):X -- X seems to be a sub-PID of some sort, for each thread. And this repeats.
#23
Member
Join Date: Jan 2005
Posts: 23
OS: WinXP
Looks like that's it, I'm out of ideas.

Only thing I can think of is getting process etc. information while the computer is in safe mode and comparing that to info while it is in normal mode. Afterwards, disabling one by one the stuff that runs in normal mode but not in safe mode. There are no connection attempts in safe mode ("with networking" mode). If only there was a way to get detailed information on running threads of explorer.exe. Not a single popup though.
#24
Member
Join Date: Jan 2005
Posts: 23
OS: WinXP
The End - Solved :)

The offending dll was mydllf.dll, supposedly a part of an old old installation of DVD Express which was installed no later than mid 2002, and this dll's date was Jan 2004. It's quite possible that I had those connections going since the beginning of 2004 (they seem harmless, with a purpose to generate hits for websites maybe). Just noticed that there is also a mydll.dll in the same folder that has a proper date, similar to when the program was installed.

It's a school laptop and whenever things went wrong I went and got it reimaged (so that I can have all the required software). It's possible that their images have this file on them. Once, after getting reimaged, I noticed the laptop making connections to hosts by itself, and then I reimaged the laptop at home using an image I made earlier.

I was able to get explorer.exe thread information and then it was simple to get to the root of the problem. First thread makes the connections, second thread launches at startup (memory stacks):

mydllf.dll+0x3533
0 SharedUserData!SystemCallStub+4
1 ntdll.dll!NtWaitForSingleObject+0xc
2 ntdll.dll!NtWaitForSingleObject+0xc
6 WS2_32.dll!connect+0x51
7 WININET.dll!InternetAutodialCallback+0x4cd

mydllf.dll+0x36e5
0 SharedUserData!SystemCallStub+4
1 ntdll.dll!ZwDelayExecution+0xc
2 ntdll.dll!ZwDelayExecution+0xc

As for the popups. The only filemon log of that I have is dated Jan 19th. After that I got no more popups, why? Simple, on that date Norton Antivirus downloaded updated defs and no longer allowed that Download.Trojan to be installed and run. I had copies of that .exe on my desktop and today when I right-clicked on them Norton quarantined the files. So it seems to be a new trojan.

It took 7 days; time wasn't wasted entirely as I learned a few things. Thanks to everyone that helped. Now, time to format... :)
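The check the last post did by hand with Process Explorer (which DLL inside explorer.exe owns the outbound connections) can be scripted on a current Windows. This is an added example, not code from the thread; it assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection and an elevated PowerShell session, and the triage rule "not validly signed by Microsoft" is the author's assumption, not a verdict.

```powershell
# Added example (not from the thread): list the DLLs mapped into explorer.exe,
# flag those not validly signed by Microsoft, and show the TCP connections the
# process owns. Assumes Windows 8+/PowerShell 3+ and an elevated session.

$explorer = Get-Process -Name explorer -ErrorAction Stop | Select-Object -First 1

# Module triage: every DLL loaded into the process, with Authenticode status.
# A foreign DLL injected or hooked into explorer.exe (like mydllf.dll above)
# shows up here even though it is not a startup item, service or Run entry.
$suspect = foreach ($m in $explorer.Modules) {
    $sig    = Get-AuthenticodeSignature -FilePath $m.FileName
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $isMicrosoft = ($sig.Status -eq 'Valid') -and ($signer -match 'O=Microsoft Corporation')
    if (-not $isMicrosoft) {
        [pscustomobject]@{
            Module   = $m.ModuleName
            Path     = $m.FileName
            Status   = $sig.Status          # Valid / NotSigned / HashMismatch / UnknownError
            Signer   = $signer
            Modified = (Get-Item $m.FileName).LastWriteTime
        }
    }
}

# Newest file times first: a "2004" DLL inside a "2002" install stands out.
"Modules in explorer.exe (PID $($explorer.Id)) not validly signed by Microsoft:"
$suspect | Sort-Object Modified -Descending | Format-Table -AutoSize

# Network side: sockets owned by the explorer.exe process. The shell itself
# rarely holds outbound connections, so each entry here points back at one of
# the modules listed above (the thread-stack view in Process Explorer ties them).
"TCP connections owned by explorer.exe:"
Get-NetTCPConnection -OwningProcess $explorer.Id -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State |
    Format-Table -AutoSize
```

On older systems, catalog-signed OS files can report NotSigned, so treat the first table as a triage list to compare against a clean machine, not as a list of malware.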